Sunday, December 21, 2014

File Carving In Depth


“File carving,” or sometimes simply “carving,” is the process of extracting a collection of data from a larger data set. Data carving techniques frequently occur during a digital investigation when the unallocated file system space is analyzed to extract files. The files are “carved” from the unallocated space using file type-specific header and footer values.

So file carving isn't file recovery: recovery needs the file system structure, while carving does not. Let's look at this topic in some detail :)

File carving is a powerful technique for recovering files and fragments of files when directory entries are corrupt or missing. The data is searched block by block for residual data matching the file type-specific header and footer values. Carving is also especially useful in criminal cases, where carving techniques can recover evidence. In certain cases related to child pornography, law enforcement agents are often able to recover more images from the suspect's hard disks by using carving techniques.

Carving deals with the raw data on the media and doesn’t use the file system structure during its process. A file system (such as FAT16, FAT32, NTFS, EXT, and others) is a structure for storing and organizing computer files and the data they contain. Although carving doesn’t care about which file system is used to store the files, it could be very helpful to understand how a specific file system works. In the FAT file system for example, when a file is deleted, the file’s directory entry is changed to show that the file is no longer needed (unallocated). The first character of the filename is replaced with a marker, but the file data itself is left unchanged. Until it’s overwritten, the data is still present.

Carving makes use of the internal structure of a file. A file is a block of stored information, like an image in a JPEG file. A computer uses file name extensions to identify a file's content.

File Recovery techniques make use of the file system information that remains after deletion of a file. By using this information, many files can be recovered. For this technique to work, the file system information needs to be correct. If not, the files can’t be recovered. If a system is formatted, the file recovery techniques will not work either.

Files are stored in file systems:
• Windows (FAT 12/16/32, NTFS)
• Linux (Ext2/Ext3/Ext4, Reiser)
• Mac (HFS, HFS+/HFSX)
• File systems store data in clusters or blocks
• Files are usually stored sequentially by the OS on media

So recovery has several levels of difficulty, from a deleted file in the recycle bin, to an emptied recycle bin, to a formatted disk with some data overwritten, or even bad sectors :D .

General File Carving Techniques

The most common general file carving techniques are:
• Header-footer or header- “maximum file size” carving
• File structure based carving
• Content based carving

Header-footer Carving

• Recover files based on known headers and footers, or on a maximum file size
• JPEG: “\xFF\xD8” header and “\xFF\xD9” ‘footer’
• GIF: “\x47\x49\x46\x38\x37\x61” header and “\x00\x3B” footer
• PST: “!BDN” header and no footer
• If the file format has no footer, a maximum file size is used in the carving program
• Known header-footer carvers are Scalpel, Foremost and File Finder (EnCase)
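A minimal header-footer carver over the signatures listed above, added here as an example and not taken from Scalpel, Foremost or the post; the sample "unallocated space" is constructed inline, and the PST maximum size is deliberately tiny so the no-footer cut-off is visible:

```python
import re
from typing import Dict, List, Optional, Tuple

# Signature table built from the header/footer values listed above.
# A footer of None means the format has no footer, so max_size alone bounds the file.
Signature = Tuple[bytes, Optional[bytes], int]
SIGNATURES: Dict[str, Signature] = {
    "jpg": (b"\xFF\xD8", b"\xFF\xD9", 2 * 1024 * 1024),
    "gif": (b"\x47\x49\x46\x38\x37\x61", b"\x00\x3B", 1024 * 1024),  # header spells "GIF87a"
    "pst": (b"!BDN", None, 256),  # max size kept tiny here so the demo shows the cut-off
}


def carve(image: bytes, signatures: Dict[str, Signature] = SIGNATURES) -> List[Tuple[str, int, bytes]]:
    """Scan raw bytes (unallocated space, a disk image) for every header in the table.
    Each hit is cut at the first footer found after it (footer included) or, when
    there is no footer or it is never found, at max_size / end of image.
    Returns (type, offset, carved_bytes) sorted by offset."""
    found: List[Tuple[str, int, bytes]] = []
    for ftype, (header, footer, max_size) in signatures.items():
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            limit = min(len(image), start + max_size)
            end = limit
            if footer is not None:
                pos = image.find(footer, start + len(header), limit)
                if pos != -1:
                    end = pos + len(footer)
            found.append((ftype, start, image[start:end]))
    found.sort(key=lambda hit: hit[1])
    return found


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': zero slack around a JPEG, a GIF and a PST header."""
    slack = b"\x00" * 64
    jpg = b"\xFF\xD8\xFF\xE0" + b"JFIF-demo-payload" + b"\xFF\xD9"
    gif = b"GIF87a" + b"\x10\x00\x10\x00" + b"demo-gif-data" + b"\x00\x3B"
    pst = b"!BDN" + b"A" * 300  # longer than the 256-byte max: the carver must truncate it
    return slack + jpg + slack + gif + slack + pst + slack


if __name__ == "__main__":
    for ftype, offset, data in carve(build_sample_image()):
        print(f"{ftype} at offset {offset}: {len(data)} bytes")
```

Two caveats a practitioner hits immediately: a JPEG with an embedded EXIF thumbnail carries a second FF D8 / FF D9 pair, so footer carving can stop at the thumbnail, and a two-byte header matches freely in random data, which is why real carvers add file-structure checks.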

File Structure Based Carving

• This technique uses the internal layout of a file
• Elements are header, footer, identifier strings and size information
• Known carvers which use this technique are Foremost and PhotoRec

Content-based Carving

• Content structure
  • Loose structure (MBOX, HTML, XML)
• Content characteristics
  • Character count
  • Text/Language recognition
  • White and black listing of data
  • Statistical attributes (Chi^2)
  • Information entropy
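The statistical side of content-based carving, as an added example that is not from the post: each 512-byte block of a constructed image is scored by printable-character count, Shannon entropy and chi-square against a uniform byte distribution; the thresholds are assumptions tuned to 512-byte blocks:

```python
import math
import random
from collections import Counter
from typing import List, Tuple

BLOCK = 512  # one sector: the unit a content-based carver scans and classifies


def shannon_entropy(block: bytes) -> float:
    """Bits of information per byte: 0.0 for one repeated value, 8.0 for a uniform spread."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def chi_square(block: bytes) -> float:
    """Chi^2 of the byte histogram against a uniform distribution.
    Random-looking data (compressed, encrypted) scores near 255; text or padding far higher."""
    n = len(block)
    expected = n / 256
    counts = Counter(block)
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))


def printable_ratio(block: bytes) -> float:
    """Character count: share of bytes that are printable ASCII, tab, LF or CR."""
    return sum(1 for b in block if 32 <= b < 127 or b in (9, 10, 13)) / len(block)


def classify(block: bytes) -> str:
    """Coarse content class for one block; thresholds are assumptions for 512-byte blocks."""
    ent = shannon_entropy(block)
    if ent < 1.0:
        return "padding"  # zero-filled or wiped sectors
    if printable_ratio(block) > 0.95:
        return "text"  # candidates for loose-structure formats (MBOX, HTML, XML)
    if ent > 7.0:
        return "compressed/encrypted"
    return "binary"


def scan(image: bytes) -> List[Tuple[int, str, float, float]]:
    """Walk an image block by block, returning (offset, class, entropy, chi2) per block."""
    out = []
    for off in range(0, len(image), BLOCK):
        blk = image[off:off + BLOCK]
        out.append((off, classify(blk), round(shannon_entropy(blk), 2), round(chi_square(blk), 1)))
    return out


def build_sample_image() -> bytes:
    """Constructed image: padding, a mail fragment, a structured binary table, random bytes."""
    rng = random.Random(1)  # seeded so the run is reproducible
    padding = b"\x00" * BLOCK
    text = (b"From: alice@example.test\nSubject: meeting notes\n\nSee attached.\n" * 20)[:BLOCK]
    table = bytes(range(64)) * (BLOCK // 64)
    rnd = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    return padding + text + table + rnd


if __name__ == "__main__":
    for off, kind, ent, chi2 in scan(build_sample_image()):
        print(f"offset {off:5d}: {kind:21s} entropy={ent:4.2f} chi2={chi2:9.1f}")
```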


Remember: file carving is a recovery technique that considers only the contents and structures of files, not the file system structures or other metadata used to organize data on storage media.


File carving terminology
Tools:

There are different carving tools available. Most of them are open source; others are commercial solutions offered by companies. Because carving is a developing technique, more and more tools are becoming available. Some of the most commonly used carving tools are:

Foremost—Originally designed by the US Air Force, it is a carver designed for recovering files based on their headers, footers, and internal data structures
Scalpel—Scalpel is a rewrite of Foremost focused on performance and a decrease of memory usage. It uses a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is file system independent and will carve files from FATx, NTFS, EXT2/3, or raw partitions. Scalpel will not allow you to output to the same directory you’re carving from.
Photorec—Photorec is a data recovery software tool designed to recover lost files from digital camera storage media (CompactFlash, Memory Stick, Secure Digital, SmartMedia, Microdrive, MMC, USB flash drives, and others), hard disks, and CD-ROMs. It recovers most common photo formats, audio files, document formats, such as Microsoft Office, PDF, HTML, and archive/compression formats. A complete list of supported file formats can be read on the Photorec website. PhotoRec does not attempt to write to the damaged media from where recovery is being performed. Recovered files are instead written to the directory from where you are running PhotoRec or any other directory you choose.
More information about data carving tools and recovery tools can be found on the Forensics Wiki.

Datasets:
• FAT carving test dataset (15 files)
• DFRWS 2006 challenge image (32 files)

Monday, September 22, 2014

You wanna be certified: OSCP


Offensive Security Certified Professional


One of the most elite certifications in the security world, and a practical guide to pen testing. Although I don't have this cert, I found some small guides that will help us, so let's share. You have to complete the Penetration Testing with Kali Linux (PWK) course.



Prerequisites:

Logic to write code, TCP/IP, Linux


These are all resources I have found useful:

 

1- Pentesting with Backtrack/OSCP Review
2- Penetration Testing w/ BackTrack (OSCP) Course Review
3- My Journey to OSCP … complete blog
4- OSCP and Me
5- Offensive Security’s PWB and OSCP — My Experience
6- OSCP Series
7- OSCP at a glance
8- My OSCP Experience
9- Pentesting With BackTrack (PWB) & Offensive Security Certified Professional (OSCP) Reviews 2013
10- Offensive Security PWB (OSCP) – A Review
11- Offensive Security Certified Professional


Monday, April 21, 2014

Diskware of Hard disk

Although I have a fucken' exam tomorrow in GIS, it doesn't matter :D :D .... Press the power-on button of your PC or laptop and you can hear a small sound from your BIOS: the POST ensures that everything is OK and all is ready to boot the OS. But what about the hard disk?? What happens when it receives power??
I have learned something about that, so let's share it with you :)


When a hard disk is powered on, the first thing it does is check for a return status from the chip to ensure that the electronics are functioning and everything is OK. Then, like the BIOS, the hard disk does something like a POST for its own components (self-check) and waits for another return status. To start properly, both return statuses must have been returned; the next step is to spin up the spindle.


Once the spindle has spun up and the platters begin to revolve, the head must be unparked from its parking position to reach the system area and read its firmware. But the head can't reach the system area until it has read the servo timing firmware, which contains the location and geometric info for each sector. Reading happens without any contact between head and platter; otherwise the platter is physically damaged, so RIP hard disk :D . Once the head has the location and geometric info for each sector it can reach the System Area and read its sectors. What's the system area?

System Area (SA): some sectors, always on the extreme outer edge of the platter, which contain all the hard disk's information. This information differs between hard disk drives and between drive families. It has several other names: diskware, maintenance tracks, calibration area, initialization area, reserved cylinders.
System Area info or modules:

1. SMART data
2. System logs
3. Serial number
4. Model numbers
5. P-List (Primary Defects List: manufacturing defect info that does not change)
6. G-List (Grown Defects List: sector relocation table)
7. Program overlays: firmware, executable code, or updates
8. Zone tables
9. Servo parameters
10. Specific tables like RRO (recalibrate repeatable run-out and head offsets)
11. Test routines
12. Factory defaults tables
13. Recalibration code routines
14. Translator data:
    a. Converts logical and physical addresses to locations on the drive
    b. Heads and track skewing info
15. Security data: passwords for the drive, possibly encrypted info.





Each module occupies a UBA block. The information contained in the system area is critical to the operation of the drive electronics, so manufacturers have designed drives where this information is copied to other places, such as the outer edge of another platter. This is the manufacturers' way of maintaining fault tolerance.



System Area Architecture :


The SA consists of UBA (Utility Block Addressing) blocks: sector blocks logically grouped together that contain a specific module.
The UBA area is inaccessible over the standard interface; the commands that deal with it are specified by the manufacturer and not made publicly available, but it can be accessed with boxes like PC3000 and others :) . UBA1 blocks occupy 3 sectors and contain the bad area list. UBA2 blocks occupy 2 sectors and contain information such as the drive ID and other modules. It should be noted that every access to the hard disk is made via the hard disk controller; there is no way to bypass the controller. The controller limits access to the data area on the disk; other areas are not accessible in the normal operation mode.

But you can crack the password on locked hard disk drives with hardware or software tools; the software route needs knowledge of ATA commands, HDD architecture and some digital forensics. For hardware, any box that can access the SA can erase the password, like PC3000, which I have dealt with: simple and easy to use, but you will still be like a jerk clerk; you don't know what has happened in the background, you just follow instructions by others, and you lose the knowledge and basics :)

Finally .. I have made a small tool that can get some hard disk information using C# and WMI, specifically the class Win32_DiskDrive.
The output looks like this :) :


References:

1- Forensics & Data Recovery book by Scott A. Moulton.
2- Hard disk ATA Security by Adrian Leuenberger.
3- Articles at http://www.hddguru.com , http://www.datarecovery.net .
4- Hard Disk System Area by Peter J. Vis.
5- HDD from inside by Artem Rubtsov.


Thanks to my bro Adham Mohammed for his help :) .

Saturday, April 12, 2014

It's Wireless .. it's Crackable , Journey into Wireless card modes


Firstly I'm sorry, I know I'm too late in writing this article, but I had a lot of troubles. Let's start our new article. To crack the wireless networks around you, the process can be easy: a cup of coffee, some needed hardware, BackTrack or Kali or even BackBox or any Linux distribution with the aircrack package (airmon, airodump …… etc.).
Feel free to install Linux on physical or virtual hardware. The most vital part of the whole process is your wireless card, especially its chipset. The card embedded in your laptop can only work to connect you :D (only Egyptians will understand what's behind "connect you") to the internet, but we need to know the password of the wireless network, so we have to sniff the traffic between client and router, capture the packets that contain this password, then analyze or crack them to get the password .. your target.
Some external wireless cards have the ability to sniff in a special mode to capture packets, depending on the card's chipset. Not all external cards support Linux, so we will go a little into which is best for this. After we get the card, assuming an Alfa or TP-Link, you have to connect it and start configuration. That's fine, we all do this to get internet, but what about capturing packets or injecting them? Let's learn more. Remember, we use the card differently.

First mode, managed mode:
When you use the card normally to connect to an access point and get a connection. We have all done this before; that's normal.
Second mode, promiscuous mode:
That's what we need: monitor mode .. monitor for action, promiscuous for position. In this mode you can sniff network data and perform attacks.

When we are connected in managed mode we are only able to see the Ethernet (802.3) data, not the wireless (802.11) traffic, which is what we want to be able to use. With 802.3 traffic you will see the normal web traffic and other normal network information; with 802.11 traffic you will see the wireless data that is used to communicate over wireless networks.
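To make the difference concrete, an added example (not from the post) that decodes a constructed 802.3 frame and a constructed 802.11 beacon, as a managed-mode and a monitor-mode capture respectively would present them; the BSSID, SSID and channel are made-up values, and the radiotap header that a monitor-mode capture prepends is assumed to be already stripped:

```python
import struct
from typing import Any, Dict


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


# --- 802.3: what a card in managed mode hands to the OS ---------------------
def parse_ethernet(frame: bytes) -> Dict[str, Any]:
    """Ethernet II header: dst(6) src(6) ethertype(2), then the payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"kind": "802.3", "dst": mac(dst), "src": mac(src),
            "ethertype": f"0x{ethertype:04x}", "payload_len": len(frame) - 14}


# --- 802.11: what a card in monitor mode exposes ----------------------------
TYPES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}


def parse_ies(body: bytes) -> Dict[int, bytes]:
    """Information elements: id(1) len(1) value(len), repeated until the body ends."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies


def parse_80211(frame: bytes) -> Dict[str, Any]:
    """MAC header: frame control(2) duration(2) addr1(6) addr2(6) addr3(6) seq ctrl(2)."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF  # version is bits 0-1
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctrl = struct.unpack("<H", frame[22:24])[0]
    info: Dict[str, Any] = {
        "kind": "802.11", "type": TYPES.get(ftype, "reserved"), "subtype": subtype,
        "to_ds": bool(fc1 & 1), "from_ds": bool(fc1 & 2),
        "addr1": mac(addr1), "addr2": mac(addr2), "addr3": mac(addr3),
        "seq": seq_ctrl >> 4,  # low 4 bits are the fragment number
    }
    if ftype == 0:  # management frames: addr3 is the BSSID
        info["subtype"] = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}")
        info["bssid"] = mac(addr3)
    if ftype == 0 and subtype == 8:
        # beacon body: timestamp(8) interval(2) capability(2), then information elements
        _ts, interval, cap = struct.unpack("<QHH", frame[24:36])
        ies = parse_ies(frame[36:])
        info.update({"beacon_interval_tu": interval,
                     "privacy": bool(cap & 0x10),  # capability bit 4: encryption in use
                     "ssid": ies.get(0, b"").decode("utf-8", "replace"),
                     "channel": ies[3][0] if 3 in ies else None})
    return info


# Constructed sample frames (locally administered MACs, made-up SSID).
BSSID = bytes.fromhex("02aabbccddee")
SAMPLE_BEACON = (
    b"\x80\x00" + b"\x00\x00"                         # FC: type 0 (mgmt), subtype 8 (beacon)
    + b"\xff" * 6 + BSSID + BSSID + b"\x10\x00"       # addr1 broadcast, addr2/addr3 BSSID, seq 1
    + struct.pack("<QHH", 0x1122334455, 100, 0x0411)  # timestamp, 100 TU interval, ESS+privacy
    + b"\x00\x08DemoNet!"                             # IE 0: SSID
    + b"\x01\x04\x82\x84\x8b\x96"                     # IE 1: supported rates
    + b"\x03\x01\x06"                                 # IE 3: DS parameter set, channel 6
)
SAMPLE_ETH = bytes.fromhex("021122334455") + BSSID + b"\x08\x00" + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    print(parse_ethernet(SAMPLE_ETH))
    print(parse_80211(SAMPLE_BEACON))
```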

Finally, you can visit packtpub.com, where you will find a lot of books useful for all levels (beginner, intermediate and advanced) on securing and cracking wireless networks. There are also some useful courses on securitytube.com, like WLAN Security and the Aircrack Megaprimer, and YouTube has some useful tutorials too.
Remember to share what you learn … Happy Cracking :) .


Tuesday, March 11, 2014

Hack A fingerprint …. Mission Accomplished





Firstly, let's know the basics :) :

Fingerprints are the tiny ridges, whorls and valley patterns on the tip of each finger. They form from pressure on a baby's tiny … No two people have been found to have the same fingerprints; they are totally unique. There's a one in 64 billion chance that your fingerprint will match up exactly with someone else's.

Fingerprints are even more unique than DNA, the genetic material in each of our cells. Although identical twins can share the same DNA -- or at least most of it -- they can't have the same fingerprints.

Fingerprinting is one form of biometrics, a science that uses people's physical characteristics to identify them. Fingerprints are ideal for this purpose because they're inexpensive to collect and analyze, and they never change, even as people age.

Crime Scene Scenario
 
Let your mind free, imagine :D .. you are a criminal investigator like Kudo Shinichi (a great animation, I think you should watch it :) ).
Let's go …..

With respect to a crime scene .. what about fingerprint impressions???

A crime scene involves three different types of fingerprint impressions: latent, patent, and plastic.
• A latent print is not visible to the naked eye, which means a person must process the scene and enhance the latent print using black powder or chemicals.
• A patent print is visible without processing and includes fingerprints left in blood, oil, and dirt.
• A plastic print is a three-dimensional impression where the friction ridge skin of the finger sinks into a surface, such as window caulk.
 
Fingerprint Patterns :

Once fingerprints have been located at a crime scene, either the item is collected or the print is powdered and lifted using tape or a fingerprint lifter. The recovered print is then identified as one of the three main categories of prints: loop, arch and whorl.


Loop :

A loop is a pattern in which the ridges of the print enter on one side, curve in the middle, and exit out the same side. The loop is the most common type of fingerprint pattern and can be subclassified as either an ulnar loop or a radial loop. An ulnar loop has the opening of the ridges pointing toward the little finger of the hand, which is closest to the ulna bone of the forearm. A radial loop has the opening of the ridges pointing toward the thumb of the hand, which is closest to the radial bone of the forearm.

Arch :
An arch is a pattern in which the ridges enter on one side of the print and exit out the opposite side with a slight rise in the center. The arch can be subclassified as either a plain arch or a tented arch. A plain arch has a slight rise in the center of the print, as opposed to a tented arch, which has a very steep rise in the center of the print.

Whorl :

A whorl is a pattern in which the ridges have a circular or swirled center. A whorl can be subclassified as a plain whorl, a central pocket loop whorl, a double loop whorl, or an accidental whorl.


FINGERPRINT 10-PRINT CARD :

Inked prints are patent, or visible to the naked eye, because the reproduction of the friction ridge skin is made using black printers' ink. An inked fingerprint card is completed by law enforcement at the time of arrest, for employment applications, and for pistol permits. The fingerprint card, or 10-print card, is arranged into three sections: information, rolled impressions, and plain impressions. The information section contains relevant data regarding the person being printed and the individual completing the card. The rolled impression portion contains the 10 individual fingers rolled from nail to nail. The plain or flat impression portion contains the 10 fingerprints placed directly onto the card. A fingerprint card is arranged right hand over left hand, always starting at the right thumb and moving through to the right little finger, then left thumb to left little finger. When rolling a fingerprint, the investigator should have a firm hold of the hand or finger of the individual and start with finger #1, the right thumb, and work through to finger #10, the left little finger. Each finger should be checked for proper ink distribution and rolled from one side to the other. Never roll back and forth, because this will cause a distortion of the ridge detail.



Then you need fingerprint processing:

In order to visualize latent prints at a crime scene, the crime scene technician must use fingerprint powder and a fingerprint brush to dust the areas where suspected fingerprints are located. When a darkened fingerprint is exposed with the brush-and-powder technique, the fingerprint can then be lifted as evidence and saved for future comparisons at the crime laboratory. All enhanced fingerprints at crime scenes should be saved, even if you cannot determine the pattern type with the naked eye. A small guide with more detail: Here.


Fingerprint Scanner :

Fingerscanning, also called fingerprint scanning, is the process of electronically obtaining and storing human fingerprints. The digital image obtained by such scanning is called a finger image. In some texts, the terms fingerprinting and fingerprint are used, but technically, these terms refer to traditional ink-and-paper processes and images.


Finally, hacking Apple Touch ID :D :

iPhone 5S fingerprint sensor hacked by Germany's Chaos Computer Club


After this long introduction with great information, some of it important and the rest for further reading, this is the practical approach to what we have read. But you will face problems like labs, tools and more; still, I think we can even determine fingerprints and extract them from anything we want 3:) .. I won't say this is for educational purposes only, but sharing is caring .. knowledge is a flow and I'm not an expert :) :)



Thursday, March 6, 2014

Hard Disk Drive in depth



Firstly what's hard disk drive ?


A hard disk drive (HDD) is a nonvolatile storage device that stores data on a magnetic disk .


Nonvolatile means that data remains after computer is switched off . Data is written on the disk by magnetizing particles within a magnetic material in a pattern that represents the data. The hard disk is able to read back this data by detecting the magnetic patterns created during the write process .



Main parts of the hard disk at a glance:

An HDD has two main parts: the PCB (Printed Circuit Board) and the HDA (Head and Disk Assembly).

 -->PCB :

Any PCB has a green solder mask, copper tracks, a core (i.e. fiberglass), components, and solder to join the components to the PCB skeleton.

In our case, the HDD: there are a number of ICs such as buffer RAM, the MCU (Microcontroller Unit), a ROM chip and the motor driver, plus some components like ceramic capacitors, SMT coils, motor contacts, head stack contacts and the interface, like P-ATA, S-ATA …etc.

MCU: the MCU usually consists of a Central Processing Unit (CPU), which makes all the calculations, and a read/write channel, a special unit which converts analog signals from the heads into digital information during reads and encodes digital information into analog signals when the drive needs to write. The MCU also has I/O ports to control everything on the PCB and to transmit data through the interface.

Motor driver (VCM controller): this fellow is the most power-hungry chip on the PCB. It controls spindle motor rotation and head movements. The core of the VCM controller can stand a working temperature of 100°C/212°F.


ROM chip: the ROM contains the firmware of the hard disk. When you apply power to a drive, the MCU reads the content of the flash chip into memory and starts the code. Without such code the drive wouldn't even spin up. Sometimes there is no flash chip on the PCB, which means the flash content is located inside the MCU.

Buffer RAM: the size of this memory defines the size of the HDD's cache. You can find this information in the data sheet for the HDD. The CPU eats some of this memory to store firmware modules, and as far as we know only Hitachi/IBM drives show the real cache size in their data sheets; for other drives you can only guess how big the real cache is.


-->HDA :


HDA has 4 major components :

Spindle , Platter , Head and Actuator






Spindle: a spindle holds one or more platters; it is connected to a motor that spins the platters at a constant speed, measured in revolutions per minute (RPM).



Platter : A platter is the disk that stores the magnetic patterns. It is made from a nonmagnetic material, usually glass or aluminum, and has a thin coating of magnetic material on both sides.

>> a platter can spin at a speed of 7,200 to 18,000 RPM. The cost of an HDD increases for a higher speed.



Head :The read-write head of an HDD reads data from and writes data to the platters. It detects (when reading) and modifies (when writing) the magnetization of the material immediately underneath it. Information is written to the platter as it rotates at high speed past the selected head.



>> There is one head for each magnetic platter surface on the spindle, these are mounted on a common actuator arm.



Actuator: an actuator arm moves the heads in an arc across the spinning platters, allowing each head to access the entire data area, similar to the action of the pick-up arm of a record deck.



Another concept that must be known is the performance of an HDD, which is measured using the following parameters:


Capacity : The number of bytes an HDD can store. The current maximum capacity of an HDD is 4TB.

Data transfer rate: the amount of digital data that can be moved to or from the disk within a given time. It is dependent on the performance of the HDD assembly and the bandwidth of the data path.

• The average data transfer rate ranges between 50-300 MB per second.

Seek time : The time the HDD takes to locate a particular piece of data. The average seek time ranges from 3 to 9 milliseconds .






Some important concepts about Disk Storage system :

The surface of a disk is formatted into invisible concentric bands called tracks, on which data are stored magnetically. A typical 3.5" hard drive may contain thousands of tracks. Moving the read/write heads from one track to another is called seeking. The average seek time is one type of disk speed measurement. Another measurement is RPM (revolutions per minute), typically 7,200 . The outside track of a disk is track 0, and the track numbers increase as you move towards the center.
 


 

A cylinder refers to all tracks accessible from a single position of the read/write heads. A file is initially stored on a disk using adjacent cylinders. This reduces the amount of movement by the read/write heads.



A sector is a 512-byte portion of a track, as shown in Figure 14-2. Physical sectors are magnetically (invisibly) marked on the disk by the manufacturer, using what is called a low-level format. Sector sizes never change, regardless of the installed operating system. A hard disk may have 63 or more sectors per track.



Physical disk geometry is a way of describing the disk's structure to make it readable by the system BIOS. It consists of the number of cylinders per disk, the number of read/write heads per cylinder, and the number of sectors per track.










Fragmentation: over time, as files become more spread out around a disk, they become fragmented. A fragmented file is one whose sectors are no longer located in contiguous areas of the disk. When this happens, the read/write heads have to skip across tracks when reading the file's data. This slows down the reading and writing of files, and makes the data more susceptible to errors.



Translation to logical sector numbers: hard disk controllers perform a process called translation, the conversion of physical disk geometry to a logical structure that is understood by the operating system. The controller is usually embedded in firmware, either on the drive itself or on a separate controller card. After translation, the operating system can work with what are called logical sector numbers. Logical sector numbers are always numbered sequentially, starting at zero.



Partitions, volumes, logical, extended, primary …. what are they?
On a typical microcomputer, a single physical hard drive is divided into one or more logical units named partitions, or volumes. Each formatted partition is represented by a separate drive letter such as C, D, or E, and it can be formatted using one of several file systems.

A drive may contain two types of partitions: primary and extended. Two configurations are possible, depending on whether you want an extended partition:

• Up to three primary partitions and one extended partition.

• Up to four primary partitions and no extended partition.

An extended partition can be divided into an unlimited number of logical partitions.
Each logical partition appears as a separate drive letter. Primary partitions can be made bootable, whereas logical partitions cannot. It is possible to format each primary or logical partition with a different file system. Within a file system, files are stored in clusters, where a cluster is the smallest unit of space used by a file; it consists of one or more adjacent disk sectors. A file system stores each file as a linked sequence of clusters. The size of a cluster depends on both the type of file system in use and the size of its disk partition.
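An added example, not from the post or Irvine's book, that ties the geometry, translation and partition sections together: CHS-to-LBA translation with the post's 63 sectors per track (255 heads per cylinder is an assumed BIOS-style geometry) and an MBR partition-table parser run over a constructed sector 0 holding one bootable primary and one extended partition:

```python
import struct
from typing import Dict, List, Tuple

# Assumed BIOS-style geometry: 255 heads per cylinder, and the post's 63 sectors per track.
HEADS_PER_CYL = 255
SECTORS_PER_TRACK = 63
SECTOR_SIZE = 512


def chs_to_lba(c: int, h: int, s: int, hpc: int = HEADS_PER_CYL, spt: int = SECTORS_PER_TRACK) -> int:
    """Translation: physical (cylinder, head, sector) -> logical sector number.
    Cylinders and heads count from 0, sectors on a track from 1, logical numbers from 0."""
    if not (0 <= h < hpc and 1 <= s <= spt):
        raise ValueError(f"CHS ({c},{h},{s}) outside geometry {hpc}x{spt}")
    return (c * hpc + h) * spt + (s - 1)


def lba_to_chs(lba: int, hpc: int = HEADS_PER_CYL, spt: int = SECTORS_PER_TRACK) -> Tuple[int, int, int]:
    """Inverse translation; past cylinder 1023 the MBR convention is to saturate the field."""
    c, rem = divmod(lba, hpc * spt)
    h, s = divmod(rem, spt)
    if c > 1023:
        return 1023, hpc - 1, spt
    return c, h, s + 1


def pack_chs(c: int, h: int, s: int) -> bytes:
    """3-byte packed CHS of an MBR partition entry (cylinder's top two bits ride in byte 1)."""
    return bytes([h, ((c >> 2) & 0xC0) | (s & 0x3F), c & 0xFF])


def unpack_chs(b: bytes) -> Tuple[int, int, int]:
    return ((b[1] & 0xC0) << 2) | b[2], b[0], b[1] & 0x3F


def parse_mbr(sector: bytes) -> List[Dict]:
    """Read the four 16-byte partition entries at offset 446 of sector 0."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: bad length or missing 55 AA signature")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, chs_first, ptype, chs_last, lba_first, count = struct.unpack("<B3sB3sII", entry)
        if ptype == 0:
            continue  # unused slot
        first = unpack_chs(chs_first)
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "kind": "extended" if ptype in (0x05, 0x0F) else "primary",
            "chs_first": first,
            "chs_first_as_lba": chs_to_lba(*first),  # cross-check against the LBA field
            "lba_first": lba_first,
            "sectors": count,
            "size_mib": count * SECTOR_SIZE // (1024 * 1024),
        })
    return parts


def build_sample_mbr() -> bytes:
    """Constructed MBR: a bootable NTFS primary (type 0x07) and one extended container (0x05)."""
    layout = ((0x80, 0x07, 63, 204800), (0x00, 0x05, 204863, 409600))
    table = b""
    for status, ptype, first, count in layout:
        table += struct.pack("<B3sB3sII", status, pack_chs(*lba_to_chs(first)), ptype,
                             pack_chs(*lba_to_chs(first + count - 1)), first, count)
    table += b"\x00" * 32  # two empty slots
    return b"\x00" * 446 + table + b"\x55\xAA"


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        print(p)
```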
 

Hint : Using assembly language, you can bypass the operating system completely when accessing data.This can be useful: you might have to store and retrieve data stored in an unconventional format, to recover lost data, or to perform diagnostics on disk hardware .


References:

1- Assembly Language for Intel-based Computers by Kip Irvine
2- HDD from inside: Main parts, Artem Rubtsov, www.hddscan.com
3- Hitachi Data Systems at www.hds.com .


Ahmed Hashad Security Researcher @ 701 Labs
Twitter, Facebook